INTRODUCTION


AWARENESS OF THE METHODOLOGIES 
INTRUDERS USE TO BREAK INTO COMPUTER 
SYSTEMS IS AS ESSENTIAL AS KNOWING THE 
SECURITY MODELS PRESENTED EARLIER 


To reach their targets effectively, attackers follow
specific intrusion methodologies:


WITH TYPICAL REMOTE ATTACKS, an
intruder first sets out to gather as much information
as possible about the targeted system


NEXT, THE ATTACKER WILL TRY to
enumerate all the hosts connected to the
Internet or to the local network of the target







THERE IS A WEALTH of confidential data
sent over networks, and the attacker
may obtain it by eavesdropping on the
packets


AFTER ACCESSING and taking over the
targeted system, the attacker will try to
obtain admin privileges, obtain all user
passwords and make sure they can
connect again later


THE LONGER AN ATTACK remains
undiscovered, the more benefit the
attacker reaps from illegally accessing
the information





LOCAL ATTACKS


MOST COMPUTERS ARE NOT
PROTECTED FROM LOCAL ATTACKS


A computer's operating system cannot
ensure its total security: even the best OS
is no obstacle to an attacker with physical
access who can connect a device to the
computer (for example a bootable USB drive
or a second disk the machine can be started from)








Protective measures:


All personnel on company premises should wear
a hard-to-forge identity card conspicuously


Outside parties should not be able to access
company premises unaccompanied


Don't just assume the man wearing a courier
shirt is really who he claims to be








Protective measures:


The primary boot volume should be the hard drive
that contains your operating system, and booting
from removable media should be disabled in the firmware


Every time someone takes apart a PC case,
admins and users should be present


Make sure you are not observed when entering
a password








Protective measures:


When you end work, shut down your computer
instead of hibernating it (the hibernation file
holds an image of memory, including any keys
or passwords that were in RAM)


If unattended, a computer must be
automatically locked


The BIOS should be password-protected; note
that a BIOS password does not protect a disk
that is removed and read in another machine,
so pair it with full-disk encryption
















TARGET SCANNING
AND ENUMERATION TECHNIQUES


LOWER-LAYER PROTOCOLS
(layers 1-4) lack even the most
basic security measures


NETWORK PROTOCOLS DESIGNED
DECADES AGO ARE STILL IN USE
TODAY. They cannot provide
adequate security for computers
against current threats: protocols
of different layers trust each other


ALTHOUGH THE RFC DOCUMENTS
defining the TCP/IP protocols feature a great
level of detail, they don't cover
implementation issues; for example, neither
they nor the Ethernet standard specify what
the padding of a too-short Ethernet frame
should contain. In 2003 Ofir Arkin and Josh
Anderson noticed that many operating
systems (Windows and Linux included) pad
too-short frames with random data culled
from memory (the "Etherleak" problem)







THE OSI MODEL PROTOCOLS
were created around forty years
ago and their age means they
cannot be secured well without
introducing new standards and
redesigning every network
device and program. To give
you an example:


THINKING THAT NETWORK
switches prevent people from
eavesdropping on packets sent
between computers is a myth
(ARP cache poisoning or flooding
the switch's MAC address table
redirects traffic to the attacker's port)


IT'S NOT TRUE
that you can isolate
computers effectively
using managed
switches and trunking
(VLAN hopping by switch
spoofing or double tagging
crosses the boundary when
trunk ports are left to
auto-negotiate)








THE WAY NETWORK PROTOCOLS

are built and implemented means the most
popular and easiest manner of retrieving
information about a remote system is scanning.

SCANNING INVOLVES TESTING

whether the transport layer protocols (TCP or UDP)
can be used to establish a connection with
remote hosts. Because the majority of standard
network services operate on well-known
ports, knowing which ports are open
lets you enumerate which network services are
running on a remote system and, from the way
its stack responds, what operating system it uses
[Figure: SCANNING TACTICS FOR TCP PORTS, with the labels TCP FIN scanning and fragmentation scanning; one further label is illegible]





Scanning by provoking error messages


BECAUSE UDP
is a connectionless
protocol, the tactics for
identifying open UDP
ports are more
complex: a closed port
answers a datagram with
an ICMP Port Unreachable
message, while an open
port usually answers with
nothing at all, so silence
can mean either open or
filtered, and many systems
rate-limit the ICMP errors
they send


ICMP Port Unreachable scanning
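The TCP connect scan from the earlier slide and the ICMP Port Unreachable scan for UDP can both be written with ordinary sockets. The following is an added example, not code from the original deck: scan_tcp() completes a TCP handshake per port; scan_udp() sends an empty datagram on a connected UDP socket, which makes the kernel report an incoming ICMP type 3 code 3 as ECONNREFUSED. The targets used by demo() are listeners the script itself opens on 127.0.0.1, so it runs offline; the WELL_KNOWN table is a small hand-picked subset of IANA assignments, not a full service database.

```python
"""TCP connect scan and UDP ICMP-Port-Unreachable scan with plain sockets."""
import socket
import threading

WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 53: "domain", 80: "http",
              443: "https", 3306: "mysql"}


def service_name(port):
    return WELL_KNOWN.get(port, "unknown")


def scan_tcp(host, ports, timeout=0.5):
    """open = handshake completed, closed = RST (ECONNREFUSED), filtered = no answer."""
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:                       # includes socket.timeout
            results[port] = "filtered"
        finally:
            sock.close()
    return results


def scan_udp(host, ports, timeout=0.5):
    """closed = ICMP Port Unreachable came back; open = a datagram came back;
    open|filtered = silence (service ignored the probe, or ICMP was dropped/rate-limited)."""
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))        # connected UDP: ICMP errors surface on this socket
            sock.send(b"")
            sock.recv(1024)
            results[port] = "open"
        except (ConnectionRefusedError, ConnectionResetError):
            results[port] = "closed"
        except socket.timeout:
            results[port] = "open|filtered"
        finally:
            sock.close()
    return results


def _free_port(kind):
    """Bind-and-release to obtain a port that is almost certainly closed right now."""
    sock = socket.socket(socket.AF_INET, kind)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


def demo():
    """Constructed targets: one TCP listener and one UDP responder on loopback."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(5)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    udp.settimeout(3)

    def udp_responder():
        try:
            _, peer = udp.recvfrom(1024)
            udp.sendto(b"pong", peer)
        except OSError:
            pass

    threading.Thread(target=udp_responder, daemon=True).start()
    tcp_open, udp_open = tcp.getsockname()[1], udp.getsockname()[1]
    tcp_closed, udp_closed = _free_port(socket.SOCK_STREAM), _free_port(socket.SOCK_DGRAM)
    try:
        tcp_result = scan_tcp("127.0.0.1", [tcp_open, tcp_closed])
        udp_result = scan_udp("127.0.0.1", [udp_open, udp_closed])
    finally:
        tcp.close()
        udp.close()
    return {"tcp": (tcp_open, tcp_closed, tcp_result),
            "udp": (udp_open, udp_closed, udp_result)}


if __name__ == "__main__":
    for proto, (_opened, _closed, result) in demo().items():
        for port, state in result.items():
            print(f"{port}/{proto}\t{state}\t{service_name(port)}")
```

Against a real target the "closed" verdict for UDP depends on the ICMP error actually reaching the scanner; a firewall that drops ICMP, or a host that rate-limits it, turns every port into open|filtered, which is why UDP scans are slow and need retries.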





SCANNING CAN KEEP THE ATTACKER'S
IDENTITY HIDDEN:


Scanners are run on computers
that have already been broken into


Packets are sent using the
attacker's IP and a certain number
of fake IP addresses (diversion or
decoy scanning), so the target's
logs show many possible sources


Probes can be bounced off a third-party
"zombie" host and the answer read out of
that host's IP ID counter (idle scanning):

[Figure: the attacker sends the zombie an initial IPID probe and gets a response with IPID=34567; the attacker then sends the target a probe spoofed from the zombie; a second IPID probe to the zombie gets a response with IPID=34569]





In 1998 Salvatore Sanfilippo came up
with the notion of an idle scan. The
scan exploits two standard behaviours:
the IP identification field (RFC 791),
which most stacks of the time
incremented by one for every packet
sent, and the TCP rule (RFC 793) that
a host receiving an unexpected packet
should send back an RST to the sender,
except when the unexpected packet is
itself an RST, which should be ignored.
An idle zombie therefore answers the
attacker's probe with an RST carrying
its current IPID; if the spoofed SYN made
the target send the zombie a SYN/ACK
(port open), the zombie's RST to the
target consumed one more IPID, so the
second probe's IPID is two higher instead
of one, as in the figure above
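The IPID arithmetic behind the idle scan is easiest to follow in a simulation. The following is an added example, not code from the original deck or from nmap: it models the zombie, the target and the attacker's steps as plain Python objects so that no packets are sent. It assumes the zombie increments its IP ID by one per packet (the classic global counter) and follows the RFC 793 rules quoted in the text; the noise parameter models a zombie that is not actually idle, which is the scan's main failure mode. Class and function names are the example's own.

```python
"""Simulation of the idle (zombie) scan: open/closed decided from IPID deltas."""


class Zombie:
    def __init__(self, initial_ipid, noise=0):
        self.ipid = initial_ipid
        self.noise = noise          # unrelated packets the zombie sends between probes

    def emit(self):
        """Every packet the zombie sends consumes one IP ID."""
        self.ipid += 1
        return self.ipid

    def receive(self, segment):
        """Unexpected SYN/ACK -> reply RST (consumes an IPID, returned here);
        unexpected RST -> silently ignored (nothing sent)."""
        if segment == "SYN/ACK":
            return self.emit()
        return None

    def do_other_traffic(self):
        for _ in range(self.noise):
            self.emit()


class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def receive_syn(self, port):
        """An open port answers a SYN with SYN/ACK, a closed one with RST."""
        return "SYN/ACK" if port in self.open_ports else "RST"


def probe_ipid(zombie):
    """Attacker sends the zombie an unsolicited SYN/ACK; the RST it gets back
    carries the zombie's current IPID."""
    return zombie.receive("SYN/ACK")


def idle_scan(zombie, target, port):
    before = probe_ipid(zombie)
    zombie.do_other_traffic()
    # Attacker sends a SYN to target:port with the zombie's address as source;
    # the target's answer therefore goes to the zombie, never to the attacker.
    zombie.receive(target.receive_syn(port))
    zombie.do_other_traffic()
    after = probe_ipid(zombie)
    delta = after - before
    if delta == 1:
        return "closed|filtered"   # zombie only sent the RST answering the second probe
    if delta == 2:
        return "open"              # plus one RST answering the target's SYN/ACK
    return "unreliable"            # zombie talked to someone else in between


def scan(zombie, target, ports):
    return {p: idle_scan(zombie, target, p) for p in ports}


if __name__ == "__main__":
    quiet = Zombie(initial_ipid=34566)      # first probe answers 34567, as in the figure
    print(scan(quiet, Target(open_ports={80, 443}), [22, 80, 443]))
```

nmap implements the real thing as `nmap -sI <zombie> <target>` and first checks that the zombie's IPID really is sequential; many current stacks randomise the field or use per-destination counters, so usable zombies are rarer today than in 1998.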
ALSO PASSIVE SCANNING
techniques can make an
attack undiscoverable. This
kind of scanning, which
consists of analysing packets
the target itself sends over
the network without ever
probing it, rests on the fact
that no two implementations
of the TCP/IP protocols are
identical: each stack fills in
the header fields the standards
leave open in its own way





PASSIVE SCANNING USES:


THE TTL ATTRIBUTE (TIME TO LIVE) OF IP PACKETS.
Since the RFCs only recommend an initial
TTL and don't mandate one, OS developers
pick a value that suits them best.
Windows systems, for instance, set it at 128,
Linux at 64, and in earlier versions of Unix
the value equals 255. A captured TTL of 115
therefore most likely started at 128 and
crossed 13 routers on the way


IP SERVICE TYPE.
In theory it should specify packet priority,
but since it has no effect on how the packet
is forwarded across the Internet, in practice
it is set to a fixed value standard for a
given system


TCP MESSAGE SOURCE PORT NUMBER.
Every OS uses a different formula to assign
TCP source ports to applications


TCP WINDOW SIZE.
This attribute specifies the maximum amount
of data that can be received within a TCP
session without sending an acknowledgement.
The default window size depends on the OS
version a computer runs. In earlier Linux
systems it is 16,384, while in Windows it
is 64,512
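The four fields above can be pulled out of a captured SYN and matched against a signature table. The following is an added example, not code from the original deck or from p0f: parse_ip_tcp() reads TTL, ToS, source port and window from a raw IPv4/TCP header, guess_initial_ttl() rounds a decremented TTL up to the nearest common start value (64, 128, 255) to recover the hop count, and fingerprint() matches against SIGNATURES. The signature table holds only the values the text gives (Windows 128 and 64,512; older Linux 64 and 16,384) and is an illustration, not p0f's database; the packets are constructed inline with zeroed checksums and documentation-range addresses.

```python
"""Passive OS fingerprinting of an IPv4/TCP SYN by TTL, ToS, source port and window."""
import struct

INITIAL_TTLS = (64, 128, 255)

# (name, initial TTL, default window) - constructed from the values in the text
SIGNATURES = [
    ("Windows", 128, 64512),
    ("Linux (older)", 64, 16384),
]


def parse_ip_tcp(packet):
    """Return the header fields of a raw IPv4 + TCP packet (no Ethernet header)."""
    ver_ihl, tos, _total_len, ipid, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    src_port, dst_port, _seq, _ack, off_flags, window = struct.unpack(
        "!HHIIHH", packet[ihl:ihl + 16])
    return {
        "ttl": ttl,
        "tos": tos,
        "ipid": ipid,
        "df": bool(frag & 0x4000),
        "src_port": src_port,
        "dst_port": dst_port,
        "syn": bool(off_flags & 0x02),
        "window": window,
    }


def guess_initial_ttl(ttl):
    """Smallest common start value that is >= the observed TTL."""
    for start in INITIAL_TTLS:
        if ttl <= start:
            return start
    return ttl


def fingerprint(packet):
    """Return (os_guess, hop_count). Only SYNs are matched: on later segments the
    window is scaled and changes as the connection proceeds."""
    fields = parse_ip_tcp(packet)
    if not fields["syn"]:
        return ("not a SYN", None)
    initial = guess_initial_ttl(fields["ttl"])
    hops = initial - fields["ttl"]
    for name, sig_ttl, sig_window in SIGNATURES:
        if initial == sig_ttl and fields["window"] == sig_window:
            return (name, hops)
    return ("unknown", hops)


def build_syn(ttl, tos, src_port, window, ipid=0):
    """Constructed IPv4 + TCP SYN header with zeroed checksums (enough for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, ipid, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIHHHH", src_port, 80, 1000, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    win_syn = build_syn(ttl=115, tos=0, src_port=1027, window=64512)
    lin_syn = build_syn(ttl=52, tos=0x10, src_port=32768, window=16384)
    print(fingerprint(win_syn))   # ('Windows', 13)
    print(fingerprint(lin_syn))   # ('Linux (older)', 12)
```

The source port and ToS fields are parsed but not used in the match: in practice they are compared as ranges and bit patterns per signature rather than exact values, and the hop count is an estimate that assumes the stack started from one of the three common TTLs.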








SCANNING IS USED TO FIND
AND IDENTIFY REMOTE
SYSTEMS, WHILE THE GOAL OF
ENUMERATING IS TO IDENTIFY
WEAK POINTS AND
VULNERABILITIES OF A SYSTEM


Security scanners like Nessus are
used for enumeration

[Figure: Nessus report for a host with 443/tcp and 3306/tcp open; the findings listed for the web server on 443/tcp include OpenSSL detection, SSL certificate signed with an unknown certificate authority, SSL session resume supported, SSL certificate commonName mismatch, web server directory enumeration, web mirroring, web server uses basic authentication over HTTPS, HTTP server cookies set, external URLs, HTTP server type and version, potentially sensitive CGI parameter detection, WordPress detection, HTTP information, robots.txt information disclosure and CGI generic tests load estimation]
MOST WEBSITES ARE INTERACTIVE


DEVELOPERS AND DESIGNERS STILL ARE NOT
ADEQUATELY SECURITY-MINDED


EXERCISE


Scanning to identify a target


PUBLICLY AVAILABLE REGISTRATION INFO:
www.news.netcraft.com, whois


TRACING PACKET ROUTES:
pathping, VisualRoute


PORT SCANNING:
Foundstone's ScanLine


IDLE SCAN
using nmap


PASSIVE SCANNING
using p0f


FINDING VULNERABLE SERVERS
and websites using SiteDigger


ENUMERATING USING NESSUS





INTRUSION METHODS AND TAKING OVER


Three groups of attacks:


ATTACKS that stem from failing to properly
validate input, including buffer overflow
attacks, SQL injection attacks, running
malicious scripts and modifying files


PASSWORD and user credential theft
attacks: the password may either be
cracked or determined otherwise


USER-TARGETING attacks: by manipulating
the feelings of fear, greed or trust (the
three social engineering pillars), attackers
try to obtain confidential data from users
or encourage them to run malicious software
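The first group, input that is not validated, is easiest to see with SQL injection. The following is an added example, not code from the original deck: an in-memory SQLite table with one constructed account stands in for an application database. login_vulnerable() splices the user's input into the SQL text; login_hardened() binds it as a parameter, so the same input is compared as data instead of being interpreted as SQL. check_login() runs both for comparison. Table, account and password are made up.

```python
"""SQL injection in a login check, side by side with the parameterised fix."""
import sqlite3


def make_db():
    """Constructed sample database: one account. The password is stored as plain
    text only to keep the injection visible; real systems store a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """String concatenation: attacker-controlled text becomes part of the query."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + user +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, user, password):
    """Parameterised query: values travel separately from the SQL text."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone()[0] > 0


def check_login(conn, user, password):
    """Return what each implementation decides for the same credentials."""
    try:
        vulnerable = login_vulnerable(conn, user, password)
    except sqlite3.Error:
        vulnerable = "error"      # malformed injection: a syntax error still reveals SQL is being built
    return {"vulnerable": vulnerable, "hardened": login_hardened(conn, user, password)}


if __name__ == "__main__":
    db = make_db()
    print(check_login(db, "alice", "correct horse battery staple"))  # both True
    print(check_login(db, "alice", "' OR '1'='1"))                   # vulnerable True, hardened False
    print(check_login(db, "alice' --", "anything"))                  # vulnerable True, hardened False
```

The second probe turns the WHERE clause into `name = 'alice' AND password = '' OR '1'='1'`, which is always true; the third comments out the password check entirely. With bound parameters both strings are simply names or passwords that match nobody.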





ONCE ATTACKERS HAVE BROKEN INTO A COMPUTER, THEY WILL ENSURE THEY CAN
RETURN TO IT. THIS USUALLY MEANS HAVING THE COMPUTER RUN MALWARE


If the attacked system is running Windows, to control it remotely it's enough to use the
Sysinternals Suite package (PsExec in particular) available at http://technet.microsoft.com/en-us/sysinternals;
because these are signed administration tools, an intruder's use of them blends in with normal admin activity


GAINING CONTROL OVER A TARGET COMPUTER ALLOWS AN ATTACKER TO:


Run any program


Stop and launch any service


Modify system settings and program settings


Obtain passwords for all other users on the remote system





WAYS TO HIDE AN ATTACK


IF IT IS EXECUTED WELL, THE ATTACK CAN
REMAIN UNDETECTED
Once attackers have full control over a system,
preventing them from removing traces of the
intrusion is very difficult.


WHILE WINDOWS USERS' ACTIVITY MAY BE
AUDITED AND RECORDED in the security log, an
attacker with administrative rights is able to turn
off event auditing and wipe out security logs. To
stop monitoring, it's enough to use AuditPol, a
program originally shipped in the Resource Kit
package and built into Windows since Vista, while
to delete a security log you may use for example
ClearLogs (available at http://ntsecurity.nu/toolbox).
Both actions leave their own traces: a cleared
security log records event 1102 as its first entry
and an audit policy change is logged as event 4719,
so a SIEM that forwards events off the host in real
time keeps the evidence even after the local log is gone





HOWEVER, AN EMPTY LOG IS A CLEAR SIGN
OF AN INTRUSION, and the attacker would
probably prefer to remove only some specific
entries. This can be done for example by running
WinZapper on the attacked machine. Selective
deletion can still be noticed: event records carry
sequential record numbers, so unless the tool
renumbers what remains, a gap in the sequence
shows that entries were removed
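The three traces mentioned above (a cleared log, a changed audit policy, and gaps left by selective deletion) can be checked for in an exported Security log. The following is an added example, not code from the original deck: detect_tampering() runs over a list of event records such as a CSV or JSON export would give and reports event 1102, event 4719 and non-contiguous record numbers. Field names follow the Windows event XML (EventRecordID, EventID, TimeCreated), but SAMPLE_RECORDS and the Subject values are constructed, not real logs.

```python
"""Detect signs of Security log tampering in exported Windows event records."""

LOG_CLEARED = 1102            # "The audit log was cleared"
AUDIT_POLICY_CHANGED = 4719   # "System audit policy was changed"


def detect_tampering(records, max_gap=0):
    """Return (record_id, description) findings for cleared logs, audit policy
    changes and gaps in the record number sequence larger than max_gap."""
    findings = []
    ordered = sorted(records, key=lambda r: r["EventRecordID"])
    previous_id = None
    for rec in ordered:
        rid, eid = rec["EventRecordID"], rec["EventID"]
        if eid == LOG_CLEARED:
            findings.append((rid, "security log cleared (1102) by %s" % rec.get("Subject", "?")))
        elif eid == AUDIT_POLICY_CHANGED:
            findings.append((rid, "audit policy changed (4719) by %s" % rec.get("Subject", "?")))
        if previous_id is not None and rid - previous_id > 1 + max_gap:
            findings.append((rid, "gap in record numbers: %d missing before this record"
                             % (rid - previous_id - 1)))
        previous_id = rid
    return findings


# Constructed sample: a normal logon, two records missing, then auditing
# switched off and the log cleared under a service account.
SAMPLE_RECORDS = [
    {"EventRecordID": 5001, "EventID": 4624, "TimeCreated": "2024-05-01T08:00:00Z", "Subject": "alice"},
    {"EventRecordID": 5002, "EventID": 4672, "TimeCreated": "2024-05-01T08:00:01Z", "Subject": "alice"},
    {"EventRecordID": 5005, "EventID": 4634, "TimeCreated": "2024-05-01T08:30:00Z", "Subject": "alice"},
    {"EventRecordID": 5006, "EventID": 4719, "TimeCreated": "2024-05-01T08:31:00Z", "Subject": "SYSTEM"},
    {"EventRecordID": 5007, "EventID": 1102, "TimeCreated": "2024-05-01T08:32:00Z", "Subject": "svc_backup"},
]


def summarize(records=SAMPLE_RECORDS):
    """Counts per finding type, convenient for a dashboard or an alert threshold."""
    findings = detect_tampering(records)
    return {
        "cleared": sum("cleared" in text for _, text in findings),
        "policy_changed": sum("policy" in text for _, text in findings),
        "gaps": sum("gap" in text for _, text in findings),
    }


if __name__ == "__main__":
    for rid, text in detect_tampering(SAMPLE_RECORDS):
        print(rid, text)
```

On a live host the same records come from the Security channel, and the check only has value if the export is taken from a copy forwarded elsewhere: the intruder who cleared the local log could equally have edited a local export.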


THE BEST TECHNIQUE ATTACKERS MAY USE
TO ENSURE they will be able to re-connect to
the targeted computer is installing an additional
service on the computer. Malicious services may
easily be hidden behind system services such as
svchost.exe (as a service DLL loaded into a shared
host process) or concealed by a rootkit














